Samsung SmartThings Platform Latest To Highlight Internet Of Things Security Is A Joke

from the just-buy-a-dog dept

Stop us if you've heard this one before: a new study has found that the "Internet of Things" may bring some added convenience, but at the high price of severe security vulnerabilities. Researchers at the University of Michigan say they've uncovered (pdf) some major new vulnerabilities in Samsung's SmartThings platform that could allow an attacker to unlock doors, modify home access codes, create false smoke detector alarms, or put security and automation devices into vacation mode. Researchers say this can be done by tricking users into either installing a malicious app from the SmartThings store, or by clicking a malicious link.

The URL attack relies on SmartThings' flawed implementation of the OAuth authentication protocol. In short, a malicious URL can be used to trick the consumer into giving up his login tokens without the slightest indication anything has gone wrong, but providing an attacker with the ability to create his own backdoor -- into your front door:

"Broadly, this part of the attack involves getting a victim to click on a link that points to the authentic SmartThings domain with only the redirect_uri portion of the link replaced with an attacker controlled domain. The victim should not suspect anything since the URL indeed takes the victim to the genuine HTTPS login page of SmartThings. Once the victim logs in to the real SmartThings Web page, SmartThings automatically redirects to the specified redirect URI with a 6 character codeword. At this point, the attacker can complete the OAuth flow using the codeword and the client ID and secret pair obtained from the third-party app’s bytecode independently."
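The redirect_uri substitution described above only works if the authorization server accepts a redirect_uri it never registered. The following is an added example, not code from SmartThings or the paper: a simulated authorization endpoint that contrasts a permissive check with the exact-match check OAuth 2.0 (RFC 6749) calls for. Client IDs, hostnames and links are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample registration: the callback URI a hypothetical SmartApp registered.
REGISTERED_CLIENTS = {
    "example-smartapp": {"redirect_uris": {"https://smartapp.example/oauth/callback"}},
}


def weak_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Permissive check: any redirect_uri is honoured as long as the client exists.
    This models the class of flaw the paper describes, not SmartThings' actual code."""
    return client_id in REGISTERED_CLIENTS


def strict_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Hardened check: redirect_uri must match a pre-registered URI exactly
    (RFC 6749 sections 3.1.2.2 and 10.6), use HTTPS and carry no fragment."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        return False
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    return redirect_uri in client["redirect_uris"]


def authorize(request_url: str, check) -> str:
    """Decide what the authorization endpoint does with a login link after the
    user authenticates: "redirect" sends the code to redirect_uri, "reject" refuses."""
    query = parse_qs(urlsplit(request_url).query)
    client_id = query.get("client_id", [""])[0]
    redirect_uri = query.get("redirect_uri", [""])[0]
    return "redirect" if check(client_id, redirect_uri) else "reject"


# Constructed links: same genuine authorization host and path in both;
# only the redirect_uri parameter differs in the second one.
LEGIT_LINK = ("https://auth.example.com/oauth/authorize?response_type=code"
              "&client_id=example-smartapp"
              "&redirect_uri=https://smartapp.example/oauth/callback")
SWAPPED_LINK = ("https://auth.example.com/oauth/authorize?response_type=code"
                "&client_id=example-smartapp"
                "&redirect_uri=https://third-party.invalid/cb")

if __name__ == "__main__":
    for name, check in (("weak", weak_redirect_check), ("strict", strict_redirect_check)):
        print(name, authorize(LEGIT_LINK, check), authorize(SWAPPED_LINK, check))
```

With the permissive check both links result in the authorization code being delivered; with exact matching only the registered callback receives it, which removes the first step of the chain regardless of whether the client ID and secret were recovered from the app.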

If the malicious URL approach isn't used, attackers can also rely on tricking consumers into downloading a malicious app that -- for example -- might claim to offer you insight into device battery consumption, but can actually also give an attacker the keys to your kingdom. This is in part, the researchers note, due to the fact that 42% of over 500 apps in the SmartThings store are given significantly more system privileges than they actually need to accomplish the task at hand:

"We found that SmartApps were significantly overprivileged: (a) 55% of SmartApps did not use all the rights to device operations that their requested capabilities implied; and (b) 42% of SmartApps were granted capabilities that were not explicitly requested or used. In many of these cases, overprivilege was unavoidable, due to the device-level authorization design of the capability model and occurred through no fault of the developer. Worryingly, we have observed that 68 existing SmartApps are already taking advantage of the overprivilege to provide extra features, without requesting the relevant capabilities."

"The potential vulnerabilities disclosed in the report are primarily dependent on two scenarios - the installation of a malicious SmartApp or the failure of third party developers to follow SmartThings guidelines on how to keep their code secure," a SmartThings representative said. "Following this report, we have updated our documented best practices to provide even better security guidance to developers."

The problem is that the report clearly notes that neither of these two scenarios is all that unlikely. In an admittedly small survey of 22 SmartThings users, the study found that 91% would let a battery monitoring app check the status of their smart lock. But quite justly, just 14% of those polled believed that providing such access would somehow involve the app being able to send door access codes to a remote server. The study, and Samsung's reaction to it, are just another example of how if you really want a smart and secure home, "dumber" solutions -- like dead bolts and a dog -- remain the more intelligent option.

Re:

I can see a certain appeal in it but currently I will wait for a later generation. Looking at it from an economical point of view, I wouldn't mind having smart power outlets that let me know what is consuming power. Also have the ability to manage the power of those outlets so I can schedule them. The other part I wouldn't mind having is if my alarms could trigger my phone. Either way, when I do decide to make the jump, it will probably be something that is open source.

Response to: Anonymous Coward on May 3rd, 2016 @ 6:57am

You won't see them hanging around a tech blog. Talk to a cable tech or tech support operator. A tech can keep me occupied telling me stories of people with smart coffee makers, ovens, fridges and now everyone is getting into security systems. No one asks about security.

Re:

"Who actually buys these voyeuristic devices?"

I do.

And, I've solved two robberies with them, and one liability question. One a motorcycle next door where I could identify the vehicle. For liability, a dump truck cut cables by mistake, and I could identify the company from the logo on the door.

Both of those are camera functions, though. In my main home, my SmartThings setup is relegated to control of lights.

But at a lake house in Canada, I connected a door lock too. I use the IoT features to alert me when the front door is unlocked, to program door codes, and to operate the HVAC.

This allows my family to save lots of money by lowering the thermostat way down in the winter, but activate the heater prior to going to the house. We use water sensors and cameras to alert us to potential ice and flood damage at lake level, and in the house.

The remote programming of the door locks allows us to give service personnel temporary access by programming a code for them that we promptly erase. By using IoT, NOBODY ever gets a key they can copy, nor a hiding spot for a physical key. This increases our safety.

Thus in my total experience, IoT has increased my safety, lowered my energy use, and solved two crimes and one liability.

I agree entirely with the uMich engineers in the video, however, there are benefits as well as costs of an IoT home. I have to weigh the security costs against these benefits, and in the end, I'm pretty sure the IoT smarthome is worth it.

One way to use these tools, but not be too exposed to risk, is to silo them a little - that is, don't connect your light control system to your door locks. Don't install too many external apps, and generally protect your home LAN with a good firewall.

Foscam cameras, for example, were known to have been hacked. If they were on the Internet, hackers could port sniff, find the cam, and view it. But if you had all your cams behind a gateway with a good firewall, you would be safe. Or even if you just password protect your cams beyond defaults.

Anyway, I don't kid myself that I'm not hackable. Everything is. But I try to make it hard, and I weigh the cost/benefit of the IoT.

Re: Re: Re:

I can't see anywhere where I "downplay risks". I merely say that uMich's assertion of "There are risks, so don't do it" negates a well-thought cost/benefit analysis. It also doesn't discuss some simple measures that can reduce that risk.

There absolutely are benefits that must be considered.

Also, the uMich risks are overstated. You see, hackers are scary because they can be anywhere in the world and attack your digital assets...but to go in your front door, thieves need to be physically present and risk physical arrest. But once they are physically present...

...what is the easier way to enter an IoT locked home? Hack the user's phone to get at the user's IoT SmartThings base to hack the user's smartlock, or...ah...just break a window?

As long as these things remain insecure (and it seems they will for a long time) and I'm not in full control of them (ie: they don't snoop on my activity) I'll keep things as dumb as possible. This IoT thing can wait.

Re: Re:

Unclear on how turning a light on and kicking the temperature to where you want it when your house notices that the phone in your pocket logged onto the wifi network is somehow "the compulsion to seek sexual gratification by secretively looking at sexual objects or acts"

This isn't all that surprising

Coming from Samsung, the company that had security issues with quite a few of their own branded apps on their smartphones. Is it really all that surprising that the same problems would crop up again, only this time with their IoT app? Not to champion Apple over Samsung (Apple has their fair share of problems too), but it seems as if Samsung only cares about their users insofar as being beta testers. Their modus operandi, for a long time, has been, "We have your money, now go f*%k off."

I've implemented OAuth (2.0) on web service back ends and clients before. The security tokens used by this protocol MUST be kept confidential. If the token is leaked, it can be used to gain the same privileges as the intended user. It's a known and well documented problem that OAuth security can be compromised quite easily by a poorly written client if it divulges the token somehow. Samsung is technically correct: there is nothing wrong with OAuth (it's used all over the place online), but with the bad client (device) side implementation.

I own and use SmartThings devices in my home. I use the system for convenience, not security. If someone wants to break in my home, smashing some glass is far more likely a threat than a breach to the SmartThings hub. Pure security theater.

The attack vector described (install a malicious app / click a malicious link) still requires an inattentive human to take an action to trigger the exploit. A human has to make a bad decision to allow the system to be breached. I find nothing new or exciting about that.

Re:

There would be a major difference between IoT associated theft and smashing windows. Broken windows attract the neighbors' attention, and when you get home you immediately know there was a break-in. Consider if you have IoT devices which may or may not have a backdoor accessible to thieves. If something goes missing in your home, and let's say it's jewelry or a watch, and not something obvious like your TV, are you going to first suspect you misplaced it, or would you suspect a break-in? Are you now going to start checking your surveillance cameras every time you can't find something? If you don't trust your front door lock, are you going to trust your surveillance camera? There have been back doors reported in those as well.

We don't use Samsung, we use LG

We use LG for our TV, our fridge, our washing machine, our PVR even. What do all of these devices have in common? None of them connect to the internet! That's the way I like it. I don't think LG is better than Samsung, I just wanted you to think that with the topic title. Most of these things were rent-to-buy things anyway.